The domain name system (DNS) is what makes the internet at today's scale possible in the first place. All communication on the internet requires domain names to be translated into IP addresses, so it is no surprise that cybercriminals start manipulating the system at this very point.
How can cybercriminals take advantage of domains?
As the essential component of the internet, the DNS assigns the domain names to the IP addresses behind the online services.
This does not only enable legitimate activity: the DNS also provides room for malicious intent. Cybercriminal actions such as the distribution of spam emails, phishing attacks and the spread of malware require domains in order to function. As domains play such a central role in cybercriminal activities, it is all the more important to set up an effective prevention system.
The EURid registry developed the early warning system together with KU Leuven, the University of Leuven in Belgium (.be). The research found that domains were also being traded in darknet forums. Among other things, the service “Domain and Email Registration as a Service” was offered on the AlphaBay forum. The number of maliciously registered domains that were found, along with the fact that the registration process had been automated and monetized by criminals, made it very clear that an effective system was needed to combat domain misuse.
Protective measures used up to now: blacklists
A common measure in the fight against maliciously registered domains is the use of blacklists. So-called reputation providers curate lists of domain names that have been connected to internet-based attacks, and incoming and outgoing communication with those domains is then blocked. These lists have become much more agile, and domains are blocked as soon as a pattern of attack behaviour is detected. Nevertheless, action can only be taken once damage has already occurred.
To get around these blacklists, cybercriminals started using hit-and-run tactics: they register masses of domains that are discarded after use in order to keep their criminal operations going. Such domains are only active for a very short period, in 60 % of the cases for only a day. This naturally reduces the effectiveness of blacklists.
This situation made it necessary to recognize domain registrations linked to malicious intent before any criminal activity could take place. This is exactly where the APEWS system developed by EURid comes in.
APEWS: The AI-based early warning system developed by EURid
The Abuse Prediction and Early Warning System (APEWS) was developed in cooperation with researchers at KU Leuven and launched by the registry EURid in December 2019. APEWS is designed to prevent the abusive use of domain names before any damage can occur.
The abuse prediction and early warning system recognizes potentially malicious domain registrations before the associated domains are made publicly available. This is the fundamental difference from blacklists, which only provide protection after some damage has occurred.
Domain registrations were evaluated over a period of eleven months in order to pinpoint patterns that indicate malicious registrations.
These studies led to the identification of 22 characteristics that are already evident at the time of registration. They are evaluated by a Convex Polytope Machine and recognized automatically by the system that was developed.
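To make the registration-time idea concrete, here is an added example (not EURid's or KU Leuven's code, and not their 22 features) that extracts a handful of assumed features from registration data a registry has before delegation, and runs them through a Convex Polytope Machine decision function, the maximum over several linear sub-classifiers, whose benign region is the convex polytope where every sub-classifier scores at or below zero. The weights are hand-set for illustration rather than learned, and the sample batch, free-mail list and burst window are constructed.

```python
import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed list of free-mail providers used by this example; not a real dataset.
FREEMAIL_DOMAINS = {"freemail.example", "webmail.example"}
# Registrations from the same registrant e-mail inside this window count as a burst (assumed).
BURST_WINDOW = timedelta(minutes=60)


@dataclass(frozen=True)
class Registration:
    """Registration-time data as the registry sees it before delegation (fields assumed)."""
    name: str               # second-level label without the ".eu" suffix
    registrant_email: str
    registrar: str
    registered_at: datetime


def shannon_entropy(text: str) -> float:
    """Entropy in bits per character; generated labels tend to score high."""
    if not text:
        return 0.0
    total = len(text)
    return -sum((n / total) * math.log2(n / total) for n in Counter(text).values())


def extract_features(reg: Registration, batch: List[Registration]) -> Dict[str, float]:
    """Features available at registration time (an assumed set, not EURid's 22)."""
    name = reg.name.lower()
    burst = sum(
        1 for other in batch
        if other.registrant_email == reg.registrant_email
        and abs(other.registered_at - reg.registered_at) <= BURST_WINDOW
    )
    email_domain = reg.registrant_email.rsplit("@", 1)[-1].lower()
    return {
        "length": len(name) / 63.0,                                # scaled by the DNS label maximum
        "entropy": shannon_entropy(name),
        "digit_ratio": sum(ch.isdigit() for ch in name) / len(name),
        "hyphens": float(name.count("-")),
        "freemail": 1.0 if email_domain in FREEMAIL_DOMAINS else 0.0,
        "burst": float(burst),                                     # same-registrant registrations in window, self included
    }


class ConvexPolytopeMachine:
    """Inference for a Convex Polytope Machine: K linear sub-classifiers, score = max_k (w_k . x + b_k).
    Inputs that score <= 0 under every sub-classifier lie in the intersection of K half-spaces,
    a convex polytope, which is the benign region; anything outside it is flagged."""

    def __init__(self, subclassifiers: List[Tuple[Dict[str, float], float]]):
        self.subclassifiers = subclassifiers

    def score(self, feats: Dict[str, float]) -> float:
        return max(
            sum(w * feats.get(key, 0.0) for key, w in weights.items()) + bias
            for weights, bias in self.subclassifiers
        )

    def predict(self, feats: Dict[str, float]) -> bool:
        """True = potentially malicious, i.e. hold the domain instead of delegating it."""
        return self.score(feats) > 0.0


# Hand-set, illustrative weights; a real CPM learns these from labelled registrations.
ILLUSTRATIVE_CPM = ConvexPolytopeMachine([
    ({"burst": 0.5}, -1.5),                                          # automated bulk registration
    ({"digit_ratio": 2.0, "hyphens": 0.4, "freemail": 0.8}, -1.5),   # lookalike lexical pattern
])


def screen_batch(batch: List[Registration],
                 model: ConvexPolytopeMachine = ILLUSTRATIVE_CPM) -> List[Tuple[str, float, bool]]:
    """Score every registration in a batch; flagged ones would go on hold before delegation."""
    results = []
    for reg in batch:
        feats = extract_features(reg, batch)
        results.append((reg.name, round(model.score(feats), 3), model.predict(feats)))
    return results


# Constructed sample batch: one ordinary registration and five from a single registrant
# e-mail within four minutes, the footprint of an automated campaign.
SAMPLE_BATCH = [
    Registration("bakery-antwerp", "info@bakery-antwerp.example", "registrar-a",
                 datetime(2019, 12, 3, 10, 15)),
] + [
    Registration(f"secure-login-update-883{i}", "qwe7711@freemail.example", "registrar-b",
                 datetime(2019, 12, 3, 2, 14) + timedelta(minutes=i))
    for i in range(1, 6)
]

if __name__ == "__main__":
    for name, score, flagged in screen_batch(SAMPLE_BATCH):
        print(f"{name:28s} score={score:+.3f} {'HOLD' if flagged else 'delegate'}")
```

The burst feature is the one that matters most here: it is only computable over a batch of registrations, which is why the extractor takes the whole batch and not a single record, and it is exactly the kind of signal that a blacklist, looking at one domain after the fact, never sees.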
Success: APEWS in combat against cybercrime
The abuse-linked registered domains examined during the study had a comparatively short lifetime. However, 80 % of the domains were associated with 20 long-term campaigns of differing duration and intensity. A campaign in this sense is the automated registration of an entire series of domains by cybercriminals.
The operational deployment of such an early warning system faces rapid change in a live environment, as criminals actively adjust their tactics. This means that APEWS must undergo continuous development.
A fun fact that also emerged during the study: cybercriminals also have fixed working hours and go on holiday. And they also make typos when selecting and registering domains.
How does EURid counteract potential domain misuse?
When a registered domain is classified as potentially malicious by APEWS, the domain delegation in the .eu zone is delayed. The status “server hold” is displayed in WHOIS.
Although the domain is registered, the services linked to it, such as resolution to a website or a mail service, are suspended until a manual check has been completed.
The registry EURid contacts the registrant of a domain flagged by APEWS in order to confirm the registration data and to request proof of identity. Cybercriminals usually use falsified registration details and change identities, registries and resellers in order to avoid being discovered.
If the registrant can provide sufficient proof of identity, the domain is delegated for the .eu zone. If the domain has been registered for criminal purposes, it is blocked and withdrawn. After a suitable period of time, it is made available for registration again.
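The handling steps above form a small lifecycle: registered, held with “server hold” pending a manual check, then either delegated or withdrawn, and eventually released again. The following added example (not EURid's code) models that lifecycle as a state machine with an audit trail, so that every transition is explicit and an out-of-order step is rejected. The status names other than “serverHold”, and the 30-day quarantine period, are assumptions; the post only speaks of “a suitable period of time”.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class Status(Enum):
    PENDING = "pendingVerdict"   # registered, APEWS classification not yet applied (assumed name)
    SERVER_HOLD = "serverHold"   # flagged: delegation delayed; this is the status WHOIS shows
    DELEGATED = "delegated"      # in the .eu zone: website and mail resolve (assumed name)
    WITHDRAWN = "withdrawn"      # confirmed abusive: blocked and withdrawn (assumed name)
    AVAILABLE = "available"      # released for registration again (assumed name)


# The post only says "a suitable period of time"; 30 days is an assumed placeholder.
QUARANTINE_PERIOD = timedelta(days=30)


@dataclass
class DomainCase:
    name: str
    registered_at: datetime
    status: Status = Status.PENDING
    withdrawn_at: Optional[datetime] = None
    audit: List[Tuple[datetime, str]] = field(default_factory=list)

    def _log(self, at: datetime, message: str) -> None:
        self.audit.append((at, message))

    def _require(self, *allowed: Status) -> None:
        # Reject any step taken out of order, e.g. a manual check on a domain never held.
        if self.status not in allowed:
            raise ValueError(f"{self.name}: step not allowed in status {self.status.value}")

    def apply_verdict(self, flagged: bool, at: datetime) -> Status:
        """Step 1: the APEWS verdict at registration time, before the domain enters the zone."""
        self._require(Status.PENDING)
        if flagged:
            self.status = Status.SERVER_HOLD
            self._log(at, "APEWS flagged registration; server hold set, identity confirmation requested")
        else:
            self.status = Status.DELEGATED
            self._log(at, "APEWS verdict clean; delegated to the .eu zone")
        return self.status

    def manual_check(self, identity_confirmed: bool, at: datetime) -> Status:
        """Step 2: outcome of the registry's manual check of registration data and identity."""
        self._require(Status.SERVER_HOLD)
        if identity_confirmed:
            self.status = Status.DELEGATED
            self._log(at, "identity confirmed; hold lifted and domain delegated")
        else:
            self.status = Status.WITHDRAWN
            self.withdrawn_at = at
            self._log(at, "identity not confirmed; domain blocked and withdrawn")
        return self.status

    def release(self, at: datetime) -> bool:
        """Step 3: after the quarantine period a withdrawn domain becomes available again.
        Returns False, leaving the state unchanged, if the period has not elapsed."""
        self._require(Status.WITHDRAWN)
        if at - self.withdrawn_at < QUARANTINE_PERIOD:
            return False
        self.status = Status.AVAILABLE
        self._log(at, "quarantine elapsed; released for registration")
        return True

    def services_active(self) -> bool:
        """Website and mail only resolve while the domain is actually delegated."""
        return self.status is Status.DELEGATED

    def whois_status(self) -> str:
        return self.status.value


if __name__ == "__main__":
    # Constructed walk-through of a flagged registration whose registrant never answers.
    t0 = datetime(2019, 12, 10, 9, 0)
    case = DomainCase("constructed-example", registered_at=t0)
    case.apply_verdict(flagged=True, at=t0)
    case.manual_check(identity_confirmed=False, at=t0 + timedelta(days=3))
    print(case.release(at=t0 + timedelta(days=10)))   # too early
    print(case.release(at=t0 + timedelta(days=40)))   # released
    for when, entry in case.audit:
        print(when.isoformat(), entry)
```

Keeping `services_active()` tied to a single state is the point of the model: a domain on hold is registered, visible in WHOIS, and still unusable for the phishing or spam it was created for.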
The research will be taken further by combining the current classifications, drawn up with the help of machine learning, with clustering-based predictions that identify domains similar to those already classified. Since its launch at the .eu registry, 58,966 cases of malicious domain registrations have been discovered.
Supported by the automated identification process, the research involved in the development of APEWS can be used to track long-term campaigns and extend the blacklists to include malicious domains that have not yet been used for criminal activity.
Even after only a short period in operation, the research paper behind APEWS won an award at the Annual Computer Security Applications Conference (ACSAC) for the added security it already offers. APEWS was also distinguished with an ECO Award.
InterNetX is proud to be a partner of EURid. If you would like to find out more about our partnership, please click here.